===================================================================
RCS file: /cvsrepo/anoncvs/cvs/www/59.html,v
retrieving revision 1.44
retrieving revision 1.45
diff -u -r1.44 -r1.45
--- www/59.html 2016/02/25 16:08:18 1.44
+++ www/59.html 2016/02/28 01:54:57 1.45
@@ -243,15 +243,84 @@
PermitRootLogin=prohibit-password/without-password that could,
depending on compile-time configuration, permit password authentication
to root while preventing other forms of authentication.
- Eliminate the fallback from untrusted X11-forwarding to trusted
- forwarding for cases when the X server disables the SECURITY
- extension.
Fix an out of-bound read access in the packet handling code.
Further use of
explicit_bzero(3)
has been added in various buffer handling code paths to guard against
compilers aggressively doing dead-store removal.
+ ssh(1),
+ sshd(8):
+ remove unfinished and unused roaming code.
+ ssh(1):
+ eliminate fallback from untrusted X11 forwarding to trusted forwarding
+ when the X server disables the SECURITY extension.
+ ssh(1),
+ sshd(8):
+ increase the minimum modulus size supported for
+ diffie-hellman-group-exchange to 2048 bits.
+ Potentially-incompatible changes:
+
+ - This release disables a number of legacy cryptographic algorithms
+ by default in
+ ssh(1):
+
+ - Several ciphers: blowfish-cbc, cast128-cbc,
+ all arcfour variants and the rijndael-cbc aliases
+ for AES.
+
- MD5-based and truncated HMAC algorithms.
+
+
+ New/changed features:
+
+ - all: add support for RSA signatures using SHA-256/512 hash algorithms
+ based on draft-rsa-dsa-sha2-256-03.txt and
+ draft-ssh-ext-info-04.txt.
+
- ssh(1):
+ Add an AddKeysToAgent client option which can be set to
+ yes, no, ask, or confirm, and
+ defaults to no. When enabled, a private key that is used
+ during authentication will be added to
+ ssh-agent(1)
+ if it is running (with confirmation enabled if set to confirm).
+
- sshd(8):
+ add a new authorized_keys option restrict that
+ includes all current and future key restrictions
+ (no-*-forwarding, etc.).
+ Also add permissive versions of the existing restrictions, e.g.
+ no-pty -> pty. This simplifies the task of setting up
+ restricted keys and ensures they are maximally-restricted,
+ regardless of any permissions we might implement in the future.
+
- ssh(1):
+ add
+ ssh_config(5)
+ CertificateFile option to explicitly list certificates. (bz#2436)
+
- ssh-keygen(1):
+ allow
+ ssh-keygen(1)
+ to change the key comment for all supported formats.
+
- ssh-keygen(1):
+ allow fingerprinting from standard input, e.g. "ssh-keygen -lf -".
+
- ssh-keygen(1):
+ allow fingerprinting multiple public keys in a file, e.g.
+ ssh-keygen -lf ~/.ssh/authorized_keys. (bz#1319)
+
- sshd(8):
+ support none as an argument for
+ sshd_config(5)
+ Foreground and ChrootDirectory. Useful inside
+ Match blocks to override a global default. (bz#2486)
+
- ssh-keygen(1):
+ support multiple certificates (one per line) and reading from standard
+ input (using "-f -") for ssh-keygen -L.
+
- ssh-keyscan(1):
+ add ssh-keyscan -c ... flag to allow fetching certificates
+ instead of plain keys.
+
- ssh(1):
+ better handle anchored FQDNs (e.g. cvs.openbsd.org.) in
+ hostname canonicalisation - treat them as already canonical and
+ trailing '.' before matching
+ ssh_config(5).
+
The following significant bugs have been fixed in this release:
- ssh(1),
@@ -267,6 +336,107 @@
ssh-keygen(1).
- Correctly interpret the first_kex_follows option during the
initial key exchange.
+
- sftp(1):
+ existing destination directories should not terminate recursive uploads
+ (regression in openssh 6.8). (bz#2528)
+
- ssh(1),
+ sshd(8):
+ correctly send back SSH2_MSG_UNIMPLEMENTED replies to
+ unexpected messages during key exchange. (bz#2949)
+
- ssh(1):
+ refuse attempts to set ConnectionAttempts=0, which does not
+ make sense and would cause ssh to print an uninitialised stack
+ variable. (bz#2500)
+
- ssh(1):
+ fix errors when attempting to connect to scoped IPv6 addresses with
+ hostname canonicalisation enabled.
+
- sshd_config(5):
+ list a couple more options usable in Match blocks. (bz#2489)
+
- sshd(8):
+ fix PubkeyAcceptedKeyTypes +... inside a Match block.
+
- ssh(1):
+ expand tilde characters in filenames passed to -i options
+ before checking whether or not the identity file exists. Avoids
+ confusion for cases where shell doesn't expand (e.g.
+ -i ~/file vs. -i~/file). (bz#2481)
+
- ssh(1):
+ do not prepend "exec" to the shell command run by Match exec
+ in a config file, which could cause some commands to fail in certain
+ environments. (bz#2471)
+
- ssh-keyscan(1):
+ fix output for multiple hosts/addrs on one line when host hashing or
+ a non standard port is in use. (bz#2479)
+
- sshd(8):
+ skip "Could not chdir to home directory" message when
+ ChrootDirectory is active. (bz#2485)
+
- ssh(1):
+ include PubkeyAcceptedKeyTypes in ssh -G config dump.
+
- sshd(8):
+ avoid changing TunnelForwarding device flags if they are
+ already what is needed; makes it possible to use
+ tun(4)/
+ tap(4)
+ networking as non-root user if device permissions and interface flags
+ are pre-established.
+
- ssh(1),
+ sshd(8):
+ RekeyLimits could be exceeded by one packet. (bz#2521)
+
- ssh(1):
+ fix multiplexing master failure to notice client exit.
+
- ssh(1),
+ ssh-agent(1):
+ avoid fatal() for PKCS11 tokens that present empty key IDs.
+ (bz#1773)
+
- sshd(8):
+ avoid
+ printf(3)
+ of NULL argument. (bz#2535)
+
- ssh(1),
+ sshd(8):
+ allow RekeyLimits larger than 4GB. (bz#2521)
+
- ssh-agent(1),
+ sshd(8):
+ fix several bugs in (unused) KRL signature support.
+
- ssh(1),
+ sshd(8):
+ fix connections with peers that use the key exchange guess feature of
+ the protocol. (bz#2515)
+
- sshd(8):
+ include remote port number in log messages. (bz#2503)
+
- ssh(1):
+ don't try to load SSHv1 private key when compiled without SSHv1
+ support. (bz#2505)
+
- ssh-agent(1),
+ ssh(1):
+ fix incorrect error messages during key loading and signing errors.
+ (bz#2507)
+
- ssh-keygen(1):
+ don't leave empty temporary files when performing known_hosts
+ file edits when known_hosts doesn't exist.
+
- sshd(8):
+ correct packet format for tcpip-forward replies for requests that
+ don't allocate a port. (bz#2509)
+
- ssh(1),
+ sshd(8):
+ fix possible hang on closed output. (bz#2469)
+
- ssh(1):
+ expand %i in ControlPath to UID. (bz#2449)
+
- ssh(1),
+ sshd(8):
+ fix return type of openssh_RSA_verify. (bz#2460)
+
- ssh(1),
+ sshd(8):
+ fix some option parsing memory leaks. (bz#2182)
+
- ssh(1):
+ add a some debug output before DNS resolution; it's a place where
+ ssh could previously silently stall in cases of unresponsive DNS
+ servers. (bz#2433)
+
- ssh(1):
+ remove spurious newline in visual hostkey. (bz#2686)
+
- ssh(1):
+ fix printing (ssh -G ...) of HostKeyAlgorithms=+...
+
- ssh(1):
+ fix expansion of HostkeyAlgorithms=+...